To date, the Philippine government has not yet passed a law which specifically provides rules and regulations regarding the metaverse. 

Nonetheless, government agencies in the Philippines recognise the potential of virtual asset systems to revolutionalise digital transactions. In particular, in 2021 the Bangko Sentral ng Pilipinas (BSP), which is the central bank of the Philippines, issued Circular No 1108 providing regulations for virtual asset service providers (VASPs).

Under BSP Circular No 1108, a VASP is defined as any entity that offers services or engages in activities that provide for the transfer or exchange of virtual assets, which involve one or more of the following activities:

• exchange between virtual assets and fiat currencies;
• exchange between one or more forms of virtual assets;
• transfer of virtual assets; and
• safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets.

The Circular defines “virtual assets” or “VAs” as any types of digital unit that can be digitally traded or transferred, and that can be used for payment or investment purposes. They can be considered as “properties”, “proceeds”, “funds”, “funds or other assets”, and other “corresponding value” that can be used as a medium of exchange or a form of digitally stored value created by agreement within the community of VA users. However, digital units of exchange are not considered as VAs where they are used for:

• the payment of goods and services solely provided by their issuer or a limited set of merchants specified by their issuer (eg, gift checks); or
• the payment of virtual goods and services within an online game (eg, gaming tokens).

The BSP has also recognised non-fungible tokens or “NFTs” as a class of virtual asset that establishes ownership of a unique asset (digital or physical) such as digital arts and music. Nonetheless, the BSP noted that NFTs in the form of gaming tokens are a form of digital units of exchange, which are excluded under the regulations of BSP Circular No 1108.

Under BSP Circular No 1108, an entity which falls under the definition of a VASP is required to secure a certificate of authority (COA) as a money service business (MSB). In the course of a COA application, the BSP shall take into account and extend its evaluation over the fitness and propriety of the VASP’s beneficial owners.

Pursuant to the provisions of the BSP Circular, VASPs are only allowed engage in transactions with other VASPs, financial institutions and/or remittance and transfer companies that are duly authorised and licensed with the appropriate regulatory authorities. The transfer of virtual assets between VASPs and other BSP-supervised financial institutions (BSFIs) shall also be considered as cross-border wire transfers. In addition, the transactions must comply with the pertinent rules on wire transfers issued by the BSP.

BSP Circular No 1108 also seeks to address challenges that are typically associated with transactions performed using virtual assets, such as having adequate cybersecurity and ensuring confidentiality and integrity of data. Thus, under the Circular, VASPs are mandated to have the following, among others.

• A sound risk management system to mitigate risks arising from outsourcing.
• An internal control system commensurate with the nature, size and complexity of their business.
• Customer awareness measures to educate their customers on matters including:
1. safeguarding of VAs and/or fiat currency wallets as well as protection of client information such as login credentials;
2. use of the mobile platform and wallets;
3. actual fees and charges related to the use of the mobile platform and withdrawal transactions; and
4. problem-resolution procedures.
• Customer due diligence.

Currently, there is a moratorium for applications for VASP licences for a period of three years, starting 1 September 2022. To date, the BSP has not yet lifted the moratorium.

Laws Regulating the Digital Economy

To aid the Philippines in boosting its digital economy, various laws and regulations have been passed by the Philippine government and its agencies to provide legal validity to digital transactions, and to regulate activities provided by entities providing digital services. Among the key policies passed are the following.

The E-Commerce Act

Recognising the role of information and communications technology (ICT) in nation-building, the Philippine government enacted Republic Act (RA) No 8792 (the “E-Commerce Act”) as early as the year 2000. This law aims to facilitate transactions, exchanges and storage of information through the utilisation of electronic, optical and similar mediums, modes, instrumentality and technology.

Through the E-Commerce Act, electronic data messages, electronic documents and electronic signatures were given legal effect, validity or enforceability. The legislation likewise recognised that contracts may be expressed in, demonstrated by and proved by means of electronic data messages or electronic documents, and no contract shall be denied validity or enforceability on the sole ground that it is in the form of an electronic data message or electronic document.

The National Payment Systems Act

RA No 11127, otherwise known as the National Payment Systems Act (NPSA), was passed and signed into law on 30 October 2018. Through said law, the government aims to promote the safe, secured, efficient and reliable operation of payment systems. Hence, all operators of payment systems (OPS) are required to register with the BSP.

To implement the provisions of the NPSA, the BSP issued BSP Circular No 1049, series of 2019, providing for the Rules and Regulations on the Registration of OPS. The BSP also issued BSP Circular No 1089, series of 2020, or the Payment System Oversight Framework (PSOF), which sets out the regulatory approach of the BSP in overseeing payment systems in the Philippines.

Pursuant to the rule-making powers of the BSP, the following activities are considered operations of a payment system, and entities performing such activities are required to register as OPS:

• maintaining the platform that enables payments or fund transfers, regardless of whether the source and destination accounts are maintained with the same or different institutions;
• operating the system or network that enables payments or fund transfers to be made through the use of a payment instrument; and
• providing a system that processes payments on behalf of any person or the government.

If an OPS is also a BSFI engaged in payments and settlements, it must additionally comply with the provisions of BSP Circular No 970, series of 2017, or the Adoption of a National Retail Payment System Framework (NRPS). The NRPS is a policy and regulatory framework that aims to provide direction in carrying out retail payment activities through BSFIs by defining high-level policies, principles and standards, which when adopted would lead to the establishment of a safe, efficient and reliable retail payment system.

The Credit Card Law

With the objective of promoting fair and sound consumer credit practices which are aligned with global best practices, the Philippine government also enacted RA No 10870, otherwise known as the “Credit Card Law”. Said law defines a “credit card” as any card or other credit device intended for the purpose of obtaining money, property or services on credit.

Through the Credit Card Law, the BSP supervises all credit card issuers and acquirers. A “credit card issuer” refers to a bank or a corporation that offers the use of its credit card. An “acquirer” refers to the institution that accepts and facilitates the processing of the credit card transaction which is initially accepted by the merchant.

Under the Law, credit card issuers and acquirers must establish an appropriate system for managing risk exposures arising from credit card operations. Credit card issuers are also mandated to conduct know-your-client (KYC) procedures and exercise proper diligence in ascertaining that applicants possess good credit standing and are financially capable of fulfilling their credit commitments. Further, credit card issuers are mandated to determine, based on the credit standing and financial capacity of the cardholder, the credit limit to be extended to the cardholder.

BSP regulations for electronic money issuers

Given the rise of digital payments performed online and through the use of mobile applications, the Philippine government also issued regulations to regulate such transactions. In particular, the BSP Manual of Regulations for Non-Bank Financial Institutions (MORNBFI) provides for regulations on the issuance and operations of electronic money (“e-money”) issuers (EMI). E-money is defined therein as monetary value represented by a claim on its issuer, and that is:

• electronically stored in an instrument or device;
• issued against receipt of funds of an amount not lesser in value than the monetary value issued;
• accepted as a means of payment by persons or entities other than the issuer;
• withdrawable in cash or cash equivalent; and
• issued in accordance with the regulations in the MORNBFI.

EMIs are entities authorised by the BSP which provide money transfer or remittance services using electronic stored money value systems and similar digital financial services. EMIs are required to be registered with the BSP before they can operate.

There are no foreign equity limitations for entities that engage in the business of an EMI. Nevertheless, EMIs are required to have a minimum paid-up capital of PHP100 million.

Currently, there is a two-year moratorium on the issuance of EMI licences, which commenced on 16 December 2021. The moratorium is expected to be lifted by 16 December 2023.

The Data Privacy Act

RA No 10173, otherwise known as the Data Privacy Act (DPA) was enacted by the Philippine government to protect the fundamental human right of privacy of communication, while ensuring free flow of information to promote innovation and growth. The DPA and its implementing rules and regulations (IRR) provide that the processing of personal data shall be allowed subject to adherence to principles of transparency, legitimate purpose and proportionality.

The DPA also has extraterritorial application and therefore applies to an act performed, or a practice engaged in, in and outside the Philippines by an entity if:

• the act, practice or processing relates to personal information about a Philippine citizen or resident;
• the entity has a link with the Philippines, and the entity is processing personal information in the Philippines, or even processing outside the Philippines as long as said information is about Philippine citizens or residents; or
• the entity has other links in the Philippines.

In ensuring security of personal information, the DPA mandates personal information controllers (PICs) to implement reasonable and appropriate organisational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.

Legal Challenges in Relation to the Digital Economy

The rise in digital transactions also provides challenges to its key players, which include the entities providing the digital transactions and their users. Some of these challenges include the following.

Fraudulent transactions

A common trend is the rise of fraudulent transactions facilitated through various digital platforms, such as phishing. Phishing is the fraudulent process of attempting to acquire private or confidential information by masquerading as a trustworthy entity in an electronic communication. In order to prevent such practices, PICs must implement appropriate security measures to catch cases of phishing and be able to prevent their occurence for the protection of data subjects.

Protecting confidentiality of client information

Another challenge is ensuring the confidentiality of client information, especially that being processed by financial institutions. The BSP Manual of Regulations for Banks (MORB) mandates financial institutions to implement measures such as the following:

• having a written privacy policy in place to safeguard customers’ personal information;
• ensuring that privacy policies are regularly communicated throughout the organisation;
• having appropriate systems in place to protect the confidentiality and security of the personal data of customers against unauthorised access;
• having appropriate policies and practices in place for employee management and training to assess and address the risks to customers’ personal information; and
• having a strong IT system in place to protect customers’ personal information.

Compliance with the DPA

To ensure compliance with the mandates under the DPA, various offences relating to data privacy have been identified and specific penalties provided for under the DPA. In particular, unauthorised processing, accessing due to negligence, and improper disposal of personal information and sensitive personal information are among those acts considered as offences under the DPA. The penalties for said offences range from fines to even imprisonment.

In addition, the rise of digital transactions has also resulted in incidents involving a “personal data breach” or a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. In cases where sensitive personal information or any other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorised person, the DPA requires PICs to notify the National Privacy Commission (NPC) and the affected data subjects.

The Philippine Government’s Cloud First Policy

On 18 January 2017, the Philippine Department of Information and Communications Technology (DICT) promulgated through its Departmental Circular No 2017-002 the Philippine government’s Cloud First Policy (the “Cloud First Policy”). Under Section 4.1 of the Cloud First Policy, “cloud computing” was defined as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (eg, networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”.

Through the Cloud First Policy, the Philippine government aimed to eliminate the duplication of hardware and systems, and fragmentation of databases. The policy also aims to promote within the Philippine government the use of cloud computing technology in order to reduce costs, increase employee productivity and develop excellent online services for Philippine citizens.

The Cloud First Policy mandates government departments and agencies to consider cloud computing solutions as a primary part of their infrastructure planning and procurement. In the storage, use and processing of data, all government agencies and instrumentalities of the Republic of the Philippines are required to adopt cloud computing as the preferred ICT deployment strategy, method or technology for administrative use or for the delivery of government services.

Government agencies are recommended to select the appropriate cloud deployment model according to the agency’s specific needs and the type of data it handles. Depending on the classification of the agency’s data, there will be a requirement to apply certain controls.

The Cloud First Policy provides that security and compliance responsibilities in developing cloud systems are shared between the cloud service provider (CSP) and the government agency. The level of responsibility on both parties depends on the cloud deployment model type. The contracting agency is responsible for selecting and implementing security controls for any workloads that it operates in the cloud, while the CSP is responsible for ensuring that the services used by the contracting agency are highly secure and resilient so they are available to use on demand.

The Cloud First Policy also provides that the DICT will develop a list of accredited cloud service providers. The pre-accredited list of cloud vendors would have been pre-vetted to ensure their services meet or exceed the mandatory security controls for government cloud usage.

Policy on Cloud Computing for Financial Institutions

Under BSP Circular No 808, cloud computing is considered as a migration from owned resources to shared resources in which client users receive information technology (IT) services, on demand, from CSPs via the internet “cloud”.

Given the increased probability of risk and exposure to potential issues related to business operations, such as ensuring confidentiality, the BSP would only allow the use of public cloud computing models for non-core operations and business processes that do not directly involve sensitive data. These would include emails, office productivity, collaboration tools, claims and legal management. Conversely, core operations and business processes whose importance is fundamental in ensuring continuous and undisturbed operation of IT systems used to directly perform banking and financial services are not allowed to use public cloud computing services. These would include loans, trusts and treasury systems, automated teller machine (ATM) switch operations, electronic delivery systems and systems used to record banking operations.

Under BSP Circular No 808, a financial institution should consult the BSP before making any significant commitment on cloud computing. In addition, the financial institution should understand the applicability of local laws and regulations, and ensure that its contract with a CSP specifies obligations pertaining to the financial institution’s responsibilities for compliance with relevant laws and regulations.

The use of outsourced cloud services to achieve the financial institution’s strategic plan does not diminish the responsibility of the board of directors and of the management to ensure that the outsourced activity is conducted in a safe and sound manner, and in compliance with applicable laws and regulations. An outsourcing policy approved by the board of directors and a rationale for outsourcing to the cloud environment are required to be in place to ensure that the board is fully apprised of all the risks identified.

In addition, financial institutions are mandated to have a vendor management process in place that proactively monitors the performance of the CSP on an ongoing basis. This is also to guarantee availability and reliability of the services provided, and the ability to provide consistent quality of service to support normal and peak business requirements.

Lastly, to effectively monitor services including risk and risk mitigation associated with the use of a CSP, the financial institution and the CSP should agree in advance that the financial institution shall have access to the CSP to audit and verify the existence and effectiveness of internal and security controls. In addition, the parties may also agree on the right to an audit clause via an external party as a way to validate other control aspects that are not otherwise accessible or assessable by the financial institution’s own audit staff.

Processing of Personal Data in the Context of Cloud Computing

Given that cloud computing is normally outsourced to CSPs, both the entities outsourcing personal data and the CSP should ensure that the processing of the personal data satisfies the criteria for lawful processing under the DPA. Thus, in cases where the processing of personal data is outsourced to a CSP, the entity which outsourced the processing of personal data still remains primarily accountable for the protection of personal data under its control.

Under the DPA, the entity which outsourced the data processing is required to use contractual or other reasonable means to ensure that proper safeguards are in place, to ensure the confidentiality, integrity and availability of the personal data, and prevent its use for unauthorised purposes. Further, under the IRR of the DPA, the contract for outsourcing processing of personal data, including that outsourced to CSPs, must inter alia include the following:

• that the processing of the personal data shall be made only upon the documented instructions of the entity which outsourced the data processing;
• ensuring that an obligation of confidentiality is imposed on persons authorised to process the personal data;
• not engaging another processor without prior instruction from the entity which outsourced the data processing;
• at the choice of the entity which outsourced the data processing, deleting or returning all personal data to the outsourcing entity after the end of the provision of services relating to the processing; and
• allowing for and contributing to audits, including inspections conducted by the outsourcing entity.

Both CSPs and the entity outsourcing the processing of the personal data are mandated to implement reasonable and appropriate organisational, physical and technical security measures for the protection of personal data. They should  take steps to ensure that any natural person acting under their authority and who has access to personal data does not process it except upon their instructions, or as required by law.

Laws or Regulations Regulating Artificial Intelligence (AI) and Big Data

Currently, there is no law in the Philippines which specifically provides regulations for AI and big data. Nonetheless, there are laws which may be applicable in relation to the use of AI and big data in the Philippines, such as the following.

The Intellectual Property Code (the “IP Code”)

The Philippine IP Code (RA No 8293) classifies computer programs as original intellectual creations in the literary and artistic domain whose copyright belongs to the author of the work and that are protected from the moment of their creation. A “computer program” is defined as “a set of instructions expressed in words, codes, schemes or in any other form, which is capable, when incorporated in a medium that the computer can read, of causing the computer to perform or achieve a particular task or result”.

By having a copyright, the author shall have the exclusive right to carry out, authorise or prevent the following acts, among others:

• reproduction of the work or substantial portion of the work;
• the first public distribution of the original and each copy of the work by sale or other forms of transfer of ownership; and
• rental of the original or a copy of the computer program.

The IP Code also provides for usage of computer data, which may be considered as fair use, or a non-infringement of copyright. In particular, decompilation, which is the reproduction of the code and translation of the forms of the computer program to achieve the interoperability of an independently created computer program with other programs, is considered fair use.

The Data Privacy Act

The DPA takes into account that emerging technology such as AI may process personal data, including big data, through automated processes. Thus, under the DPA, a PIC carrying out any wholly or partly automated processing operations or set of such operations intended to serve a single purpose or several related purposes is required to notify the National Privacy Commission (NPC) when the automated processing becomes the sole basis for making decisions about a data subject, and when the decision would significantly affect the data subject. In addition, the DPA provides rights to which data subjects are entitled in relation to the automated processing of their personal information, which include the following.

Right to be informed

The data subject has a right to be informed whether personal data pertaining to them shall be, is being, or has been processed, including the existence of automated decision-making and profiling. Prior to entry of personal data in the processing system, the data subject has the right to be notified and furnished with information regarding the methods utilised for automated access and the extent to which such access is authorised, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Right to object

The data subject shall have the right to object to the processing of their personal data, including processing for direct marketing, automated processing or profiling.

Right to access

The data subject has the right to reasonable access, upon demand, to information on automated processes where the data will or is likely to be made as the sole basis for any decision that significantly affects or will affect the data subject.

There is currently no law in the Philippines which specifically provides regulations for the internet of things (IoT), which is commonly described as a system of interconnected devices that enables objects to collect and exchange data that would allow execution of specific commands. Nonetheless, certain provisions under the DPA may apply in relation to activities involving machine-to-machine communications.

In particular, the DPA provides guidelines for “data sharing”, which is defined as the “disclosure or transfer to a third party of personal data under the custody of a PIC or personal information processor (PIP)”. For the collection and exchange of data between and among machines, the PIC will be responsible for any personal data under its control or custody, including that where the processing has been outsourced or subcontracted to a PIP.

The DPA defines a “PIC” as a natural or juridical person or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. There is control if the natural or juridical person or any other body decides on what information is collected, or on the purpose or extent of its processing. “PIP” refers to any natural or juridical person or any other body to whom a PIC may outsource or instruct the processing of personal data pertaining to a data subject.

Under the DPA, data sharing shall be allowed when it is expressly authorised by law, and there must be adequate safeguards in place for data privacy and security.

The DPA allows data sharing in the private sector if the data subject consents to data sharing, and the following conditions are complied with.

• Consent for data sharing must be required even when the data is to be shared with an affiliate or mother company, or similar relationship.
• Data sharing for commercial purposes, including direct marketing, must be covered by a data sharing agreement (DSA).
• The data subject must be provided with the following information prior to collection or before data is shared:
1. identity of the PICs or PIPs that will be given access to the personal data;
2. purpose of the data sharing;
3. categories of personal data concerned;
4. intended recipients or categories of recipients of the personal data;
5. existence of the rights of data subjects; and
6. other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of processing.

The DPA also mandates that sharing between government agencies for the purpose of a public function or provision of a public service must also be covered by a DSA.

DSAs are required to provide an overview of the operational details of the data sharing, including the procedure the parties intend to observe in its implementation. Where the recipient is allowed to disclose the shared data, or grant public access to it, this must be established clearly in the DSA. Where disclosure or public access is facilitated by an online platform, the program, middleware and encryption method used should also be identified. Any other information that would sufficiently inform the data subject of the nature and extent of data sharing and the manner of processing involved should also be provided.

In addition, DSAs must include rules for the retention of shared data and identify the method to be adopted for the secure return, destruction or disposal of the shared data, and the timeline therefor. Adequate safeguards to protect personal data should likewise be put in place in every DSA. Where online access to personal data is granted, the parties should ensure that said access is secure through the use of any appropriate program, software or any other means.

No one statute or series of statutes would apply to the mass media industry as a whole. Rights, obligations and requirements are contained in different statutes and regulations which regulate this industry, including content-based regulations and regulatory requirements for an entity to provide audio-media visual services in the Philippines.

Content-based regulations on traditional media are handled by several government agencies, such as the Movie and Television Review and Classification Board (MTRCB), the Optical Media Board, and the National Council for Children’s Television. Currently, the MTRCB’s authority is limited only to television and movies and does not include online mass media.

Regulatory requirements for the provision of audio-visual media services fall within the powers of the Philippine Congress and the National Telecommunications Commission (NTC).

Traditional Mass Media

In the Philippines, the ownership and management of mass media (eg, TV and radio) companies is limited to Philippine nationals or corporations, partnerships or associations wholly owned by Philippine nationals only. Mass media is defined as any medium of communication (ie, newspapers, radio, television, films, movies, wire and radio communication) designed to reach the masses and set their standards, ideals and aims. Mass media services include the gathering, transmission and distribution of news, information, messages, signals and all forms of written, oral and visual communication services.

Mass media companies are required to be corporations established in the Philippines and must secure a franchise from the Philippine Congress and the appropriate permits from the NTC, particularly a Certificate of Public Convenience and Necessity (CPCN).

A Congressional Franchise is the principal authority for a mass media company to construct, operate and maintain audio-visual media services in the Philippines. The term of the franchise is set for a period of 25 years and renewable upon application, unless sooner revoked or cancelled. The franchise grantee cannot lease, transfer, sell or assign the Congressional Franchise or the rights and privileges acquired thereunder to any corporation, or merge with any corporation, without the prior approval of the Philippine Congress. A Congressional Franchise is granted in the form of a Philippine statute, is approved through the same process as any other Philippine statute, and requires compliance with publication requirements.

Once enfranchised, the mass media company should obtain the necessary permits by filing a petition for the issuance of a CPCN with the NTC. During the application process, the mass media company is required to prove its legal, financial and technical capabilities, as well as the economic viability of the proposed operations. The applicant may secure a provisional authority (PA) to operate from the NTC while the CPCN application is pending evaluation/assessment. Once the mass media company is granted a PA, it may commence its operations, subject to the outcome of the CPCN application. A CPCN is coterminous with the franchise unless revoked or cancelled for violation of its terms and conditions.

Online Mass Media

Except for those offences punishable under the Cybercrime Prevention Act of 2012 (RA No 10175) and the Anti-Child Pornography Act (RA No 9775), there are generally no regulations governing internet usage or online media. The Philippine government would likely apply the same requirements to digital platforms, including nationality restrictions. The controversy on whether the use of digital platforms to broadcast news, information and videos is considered mass media in the Philippines remains unsettled.

However, the Securities and Exchange Commission (SEC) clarified that the use of the internet is not considered mass media per se. It is the use of the internet as a digital platform or medium to disseminate information and ideas to the public which would constitute a mass media undertaking. Currently, the distribution of television shows and movies is covered under the term “mass media” and will be subjected to nationality restrictions against foreign ownership. Depending on the type of services being provided, an authorisation may be required to be secured with the relevant government agencies prior to operation.

With the 2022 amendment of the Public Service Act (RA No 11659) (PSA), several changes were made to the scope and applicability of telecommunications regulations including the relaxation of foreign ownership restrictions on public telecommunications entities (PTEs). However, operating entities are still required to undergo the same regulatory requirements to operate as a PTE. Notwithstanding the long-awaited amendment to the archaic PSA, several regulations on the telecommunications industry are still relevant and applicable.

Relaxation of Foreign Ownership

Under the amendment, PTEs are no longer classified as public utilities subject to the constitutional requirements on Philippine nationality, but as a public service owning critical infrastructure. Foreigners may now own 100% of the outstanding capital stock of PTEs provided reciprocity conditions are met. Nevertheless, nationality restrictions are still imposed under certain conditions, such as when the reciprocity requirement is not met, if the investor is an entity controlled or acting on behalf of a foreign government or foreign state-owned enterprises, and if the investor is a sovereign wealth fund or independent pending funds of states. The amendment to the PSA, however, does not appear to have removed the requirement for PTEs to obtain a legislative franchise and other licences from the NTC, including the CPCN.

Another telecommunications law-related change under the PSA amendment is the carving out of a value-added service (VAS) provider and passive telecommunications tower infrastructure (PTTI) provider from the term “telecommunications”. This notwithstanding, existing rules and regulations governing VAS and PTTI are still applicable.

Passive Telecommunications Tower Infrastructure

The DICT issued Policy Guidelines on the Co-Location and Sharing of PTTI (DICT Circular No 008) (the “PTTI Policy”) to govern the co-location and sharing of PTTIs by independent tower companies (ITCs) and mobile network operators (MNOs). PTTI refers to all types of outdoor non-electronic telecommunications infrastructure or civil works that are utilised for the purposes of mounting antennas, transmitters/receivers, radio frequency modules and other radio communications systems (such as macro cell sites) for the rendition of ICT services in the telecommunications network.

Except for MNOs with a Congressional Franchise and CPCN, all entities intending to establish or operate one or more shared PTTI is required to register as an ITC and secure an ITC Certificate of Registration (COR) with the DICT. The ITC COR is valid for five years, and renewable for the same period upon proper application, unless sooner revoked or cancelled due to the ITC’s violation of relevant laws, departmental orders, circulars, rules and regulations, or other justifiable reasons.

Under the PTTI Policy, an ITC applicant is required to have the relevant construction experience, registration, licence and financial capacity of, or equivalent to, a contractor falling under Category A or higher of the Philippine Contractors Accreditation Board (PCAB).

Value-Added Service

Unlike PTEs, a VAS provider is not required to secure a Congressional Franchise or a CPCN. It is, however, required to secure a COR from the NTC. “VAS provider” is defined as an entity which, relying on the transmission, switching and local distribution facilities of the local exchange and inter-exchange operators, and of overseas carriers, offers enhanced services beyond those ordinarily provided for by such carriers. The following services are classified as VAS:

• messaging services – includes all types of messaging services such as short messaging service (not more than 160 characters), messaging service (more than 160 characters), multimedia messaging service (allowing the sending and receiving of multimedia messages such as video, graphics and audio clips), and unified messaging service (allowing voice messages to be stored in the mailbox along with email, and that can be accessed through an email client or via telephone with a telephone user interface);
• audioconferencing – allows conferencing between two or more participants at different sites by using networks to transmit audio;
• audioconferencing and videoconferencing – allows conferencing between two or more participants at different sites by using networks to transmit audio and video data;
• voice mail service – refers to an email system that supports audio where users can leave spoken messages for one another and listen to the messages by extending appropriate commands in the email system;
• electronic mail service – a store and forward method of composing, sending, storing and receiving messages over an electronic communications system;
• information service – includes all types of information delivered to/accessed by users/subscribers, such as road traffic information, financial information, visa application information and other information of a similar nature;
• electronic gaming services except gambling – allows a user to play games online;
• applications service – includes all types of applications delivered to/accessed by the users/subscribers, such as mobile banking, electronic payments, point of sale service, etc;
• content and program service – includes all types of content delivered to/accessed by users/subscribers, such as music, ringtones, logos, video clips and other content of a similar nature;
• audiotext service – a system where consumers dial a phone number and navigate a voicemail-like system to get desired information;
• facsimile service – allows a consumer to send and receive documents through the electronic communications network;
• virtual private network service – a communications network tunnelled through another network and dedicated to a specific network (secure communication through the public internet is a common application); and
• hosting service – allows a service provider to host in its facilities websites and private branch exchanges (PBX).

The COR is valid for a maximum period of five years, subject to renewal upon application. Applicants for a VAS licence may opt to apply for a shorter period than five years, but not for less than one year.

Technologies such as Voice over Internal Protocol (VoIP) services, while considered a VAS service, are covered by separate regulations and requirements. VoIP is a type of voice communication using the internet (ie, internet protocol technology), instead of the traditional circuit switch technology. Similar to other VAS providers, VoIP service providers and resellers are required to register as such with the NTC. The COR is valid for one year, and renewable thereafter.

Undertakings, rights and obligations, liabilities, representations and warranties, termination and indemnity provisions are the most common provisions the parties will find in any agreement, whether it is a share purchase, purchase/acquisition of goods or assets, or service agreement. In the Philippines, agreements are generally governed by the contractual stipulations of the parties. However, some of the considerations, risks and look-outs that IT service providers must take into account when entering into agreements with local organisations are as follows.

Government Contracts

Governmental procurement of goods and consulting services are governed by the Government Procurement Reform Act (RA No 9184). As a general rule, governmental procurement for goods must undergo competitive bidding. However, in highly exceptional cases, alternative modes of procurement can be resorted to, such as limited source bidding, direct contracting and negotiated procurement.

Technology Transfer Agreements

IT service agreements that contain provisions regarding the transfer of technology – ie, a technology transfer agreement (TTA) – must comply with the requirements under the IP Code, and its implementing rules and regulations. An IT service agreement would be considered a TTA if the contract or agreement involves the transfer of systematic knowledge for the manufacture of a product, the application of a process, or the rendering of a service including management contracts, and if it involves the transfer, assignment or licensing of all forms of intellectual property rights, including licensing of computer software, of the agreement.

TTAs are required to contain the mandatory clauses and none of the prohibited clauses listed under the IP Code. Additionally, under the IP Code, TTAs are required to contain provisions regarding tax liability of the licensor, continued access to improvement, and governing law, which should be Philippine law. In addition, if the TTA has an arbitration clause, the TTA must include the arbitration rules applicable and the seat of arbitration. The IP Code prohibits provisions and clauses which will have an adverse effect on competition and trade, such as, but not limited to:

• price fixing;
• restriction on volume and structure of production;
• free grantback;
• payment for unused or expired patents;
• non-contestability of patents;
• export restrictions; and
• hold harmless provisions.

A TTA that fails to comply with the mandatory and prohibited provisions of the IP Code is unenforceable in Philippine courts unless an application for exemption (under exceptional or meritorious cases) was filed and approved by the Documentation, Information and Technology Transfer Bureau of the Intellectual Property Office of the Philippines.

Data Privacy and Security

Data privacy and data security are global concerns that any IT service provider may face when processing the data of local organisations, particularly the personal or sensitive personal data of the clientele of local organisations. The DPA (RA No 10173) is the primary law governing the protection and processing of personal data in the Philippines. The processing of personal information is allowed subject to compliance with the requirements of the DPA and other laws allowing disclosure of information to the public, and adherence to the principles of transparency, legitimate purpose and proportionality.

It is common for PICs to outsource the processing of personal and sensitive personal data of data subjects. While being outsourced to the PIP, PICs are responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed and to prevent its use for unauthorised purposes. In processing personal and sensitive personal information, the PIP and PIC must comply with data security requirements under the DPA, which include:

• implementing reasonable and appropriate organisational, physical and technical security measures for the protection of personal data; and
• implementing security measures aimed at maintaining the availability, integrity and confidentiality of personal data and that are intended for the protection of personal data against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.

Likewise, in the case of a data breach, the PIC and/or the PIP is required to report the occurrence of a personal data breach within 72 hours upon knowledge thereof, or when there is reasonable belief by the PIC or PIP that a personal data breach requiring notification has occurred.

The IRR of the DPA and the issuance by the NPC set out the security-related measures, security breaches and policies on cybersecurity that local organisations and IT service providers must comply with. Thus, in order to comply with the obligations under the DPA IRR and NPC issuances, local organisations may require that specific undertakings, warranties and indemnities to carry out security measures and to report security breaches are included in the service agreement with the IT service provider.

Sector-Specific Regulations

While private-sector IT service agreements are generally governed by the contractual stipulations of the parties, IT service providers may be required to comply with certain standards and requirements for regulated industries, such as banking and insurance.

For example, the BSP has issued specific guidelines for BSFIs, such as banks and non-bank financial institutions that outsource certain services or activities, to have access to certain areas of expertise or to address resource constraints (including IT functions or services) to third parties.

While IT outsourcing transfers operational responsibility to the service provider, BSFIs retain ultimate responsibility for the outsourced activity. As such, the IT service provider may be required to comply with the BSFI’s policies and guidelines on outsourcing, risk management, business continuity and IT risk management (eg, IT audit, information security, IT operations, vendor management, disaster recovery plan, etc) by way of contractual obligations in the service level agreement.

The COVID-19 pandemic accelerated digital transformation globally, including the acceptance of the use of electronic signatures (“e-signatures”) and digital signatures. With the work-from-home restrictions being imposed by the Philippine government, businesses, clients and consumers were forced to learn and to use e-signatures instead of the traditional methods of physically signing documents in “wet ink”. However, the use of e-signatures existed long before the pandemic began.

In the early 2000s, the Philippines approved the E-Commerce Act (RA No 8792) and issued its IRR. This centerpiece of legislation was designed to clear up doubts regarding the validity and enforceability of the use of e-signatures.

Under the E-Commerce Act, e-signatures/digital signatures on an electronic document shall be the functional equivalent to the signature of a person on a written document for as long as it can be shown that it was made through a prescribed procedure not alterable by the parties. While used interchangeably in the Philippines, e-signatures and digital signatures are not identical and do not mean the same thing. Philippine law provides a delineation on the terms “e-signature” and “digital signature”.

Distinction Between E-signatures and Digital Signatures

An e-signature refers to any distinctive mark, characteristic and/or sound in electronic form, representing the identity of a person and attached to the electronic document or electronic message, where the distinctive mark was executed or adopted by such person with the intention of authenticating, signing or approving the electronic document or electronic message.

A digital signature is a type of e-signature consisting of a transformation of an electronic document or electronic message using an asymmetric or public cryptosystem. Otherwise stated, a digital signature is a type of e-signature that encrypts a document with digital codes and relies on a public-key cryptography to support identity authentication and to provide data and transaction integrity. 

Digital signatures are safer and ensure greater protection for both parties to a transaction/document. The application being used to affix the digital signature creates a digital-based certification which shows that the digital signature was affixed, the identity of the signatory, and whether there were any alterations made to the electronic document/message after the transformation was made. No such protection and verification mechanisms are included in the traditional “e-signature” as this may be affixed by merely copying and pasting such signatures into the electronic document.

Notably, in 2022 the DICT created and launched the Philippine National Public Key Infrastructure (PNPKI). PNPKI is software that creates a digital certificate that identifies people, organisations and machines electronically. 

Authenticating E-signatures and Digital Signatures

While there is a distinction between the application of e-signatures and digital signatures, both types of signature are authenticated in the same way, through the following:

• by evidence that a method or process was utilised to establish a digital signature, and verifying this;
• by any other means provided by law; or
• by any other means satisfactory to the judge as establishing the genuineness of the electronic signature.

Once duly authenticated, the Philippine courts admit an electronic/digital signature affixed to an electronic document as the functional equivalent of a “wet ink” signature. Likewise, when an electronic or digital signature is authenticated, the following presumptions arise (unless contradicted and overcome by other pieces of evidence).

• For an e-signature:
1. the e-signature is that of the person to whom it correlates;
2. the e-signature was affixed by that person with the intention of authenticating or approving the electronic document to which it is related or to indicate such person’s consent to the transaction embodied therein; and
3. the methods or processes utilised to affix or verify the e-signature operated without error or fault.
• For the digital signature:
1. the digital signature is that of the person to whom it correlates;
2. the digital signature was affixed by that person with the intention of authenticating or approving the electronic document to which it relates or to indicate such person’s consent to the transaction embodied therein;
3. the methods or processes utilised to affix or verify the digital signature operated without error or fault;
4. the information contained in a certificate is correct;
5. the digital signature was created during the operational period of a certificate;
6. no cause exists to render a certificate invalid or revocable;
7. the message associated with a digital signature has not been altered from the time it was signed; and
8. a certificate had been issued by the certification authority indicated therein.

Using E-signatures/Digital Signatures in the Philippines

Except for documents that require certain formalities, there is no requirement or restriction on using e-signatures/digital signatures. Documents such as letters, memoranda and agreements can be signed using e-signatures/digital signatures. While there is no legal impediment to doing so, not all government offices in the Philippines accept documents signed electronically. Government offices would normally still require that the documents submitted to their offices be in “wet ink”.

While this is the case, some government agencies are starting to accept documents that are electronic/digitally signed. In 2021, the SEC started accepting the electronically signed audited financial statements of companies. Likewise, the Bureau of Internal Revenue has also begun accepting the e-signatures of taxpayers in certain types of submitted forms and certificates.

A notarised document is an example of a document that requires certain formalities. Notarised documents cannot be in electronic form; consequently, e-signatures/digital signatures cannot be affixed. Notarised documents must be signed in wet ink and presented before a notary public in the Philippines.